Accession Number:



A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)

Descriptive Note:

Technical Report

Corporate Author:


Report Date:


Pagination or Media Count:



This technical note describes the methodology we used and the observations we made while mapping thedeclarative statements found in the Federal Financial Institutions Examination Council FFIECCybersecurity Assessment Tool CAT to the practice questions found in the US-CERT Cyber ResilienceReview CRR. This mapping enables financial organizations to use CRR results not only to gauge theircyber resilience, but to examine their current baseline with respect to the FFIEC CAT and the NationalInstitute of Standards and Technology NIST Cybersecurity Framework CSF. The mapping in thistechnical note is proposed by three senior engineers from the CERT Division of the Carnegie MellonUniversity Software Engineering Institute these engineers are skilled in conducting CRRs and familiar withall practice questions and question guidance. Two also have the advantage of several years of experience inthe financial sector. The team relied on their experience along with previous mappings of the CRR andFFIEC CAT to the NIST CSF to propose the mapping in this technical note.The FFIEC published the CAT in June 2015 for financial institutions to use in assessing their cybersecurityreadiness. The United States Department of Homeland Security DHS produced a similar assessment, theCyber Resilience Review CRR version 2.0, in October 2011. The CRR is based on Carnegie MellonUniversitys CERT Resilience Management Model RMM and is used by DHS in support of PresidentialPolicy Directive PPD-21 WH 2013a to encourage the adoption of the NIST CSF. While the CRR predatesthe establishment of the NIST CSF, the inherent principles and recommended practices within the CRRalign closely with the central tenets of the CSF. Both the CAT and the CRR instruments map well to theNIST CSF. PPD-21 required NIST to create the CSF, and both documents support the implementation.

Subject Categories:

  • Computer Programming and Software
  • Computer Systems Management and Standards

Distribution Statement: